The federal government says there has been no breach of the Department of Human Services' IT systems and the Medicare card data currently on sale likely affects only a small number of people.
Human Services Minister Alan Tudge made the comments today despite the dark web vendor of the Medicare information claiming to have access to any Australian's Medicare card.
The Guardian revealed today that an unknown individual was offering the details for around A$29 per file.
The online listing - confirmed by iTnews - claims the "Medicare patient details ... of any Australian citizen" can be obtained in exchange for A$29 and the person's first and last name and date of birth.
"Details provided include Medicare number, IRN and expiry date," the listing states.
The vendor also promised to soon offer "mass batch requesting of details" via CSV file. He/she claims to have accessed the details through a vulnerability with a "solid foundation".
The federal government today sought to downplay the impact of the security breach, arguing health records had not been affected.
In a press conference on Tuesday afternoon, Human Services Minister Alan Tudge said there was "no indication there has been a wide-scale breach".
He said DHS had informed him there had been no breach of its systems.
The information the vendor asks for in return for a Medicare number - full name and date of birth - is the same data required for a search on Human Services' HPOS Medicare verification service for healthcare providers.
"When a Medicare card number is unavailable, you can enter personal information such as surname, first name and date of birth for the patient," its website states. These are the only mandatory search fields.
It will return a Medicare card number, individual reference number (IRN), and first name - the same data the vendor promises to supply after payment.
While the government claimed that the breach had not impacted health records, a 2015 privacy impact assessment on the then-named PCEHR e-health records opt-out scheme shows records can be accessed with the above combined data.
The 2015 privacy assessment (archived) on the now-named My Health Record program shows an individual's record can be accessed by a healthcare provider with their full name, date of birth, gender and Medicare card number.
Privacy expert Anna Johnston of Salinger Privacy, who worked on the assessment, said the addition of the Medicare card number was intended to stop healthcare workers trawling through the system to look up people who weren't their patients.
"But if all that is needed to find out someone’s Medicare number (whether unlawfully through a data breach, or by design through the health provider portal) is their full name and date of birth, then to me this seems to undermine one of the ways that privacy risks were supposed to be minimised in the design of the My Health Record system," she told iTnews.
She noted that while the impact of this type of abuse of the system would currently be limited given the MyHR system is in the early stages of transitioning to opt-out, it would quickly have much wider implications as the rollout scales.
"[The shift to opt-out] is going to significantly shift privacy risks onto patients," she said.
"Unless the way healthcare providers access the My Health Record system has tightened up since the review published in 2015, then I am concerned that today’s revelations about the easy accessibility of Medicare card numbers will further expose patients to risk."
The government became aware of the problem yesterday when contacted by the Guardian and has referred the matter to the Australian Federal Police.
The data is of interest to criminals, who could use it to defraud the government of Medicare rebates, or use the card data as part of 100-point ID checks.
Deputy opposition leader Tanya Plibersek called on the government to "immediately" explain what it knows about the breach.